fix(sap_s4hana): ignore baseUrl on cloud_public to prevent token redirection

Why: resolveHost previously preferred baseUrl unconditionally. A caller
sending deploymentType=cloud_public with a baseUrl pointing elsewhere
would obtain a real SAP UAA token, then forward it as Bearer to the
attacker host. Zod superRefine did not validate baseUrl for cloud_public.

Fix: resolveHost now constructs the SAP host from subdomain when
deploymentType is cloud_public and only uses baseUrl for cloud_private
and on_premise (where it is already SSRF-checked in superRefine).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/tools/sap_s4hana/proxy/route.ts

@@ -399,12 +399,15 @@ async function fetchCsrf(
 }
 
 function resolveHost(req: ProxyRequest): string {
-  if (req.baseUrl) {
-    const trimmed = req.baseUrl.replace(/\/+$/, '')
-    return assertSafeExternalUrl(trimmed, 'baseUrl').toString().replace(/\/+$/, '')
+  if (req.deploymentType === 'cloud_public') {
+    const constructed = `https://${req.subdomain}-api.s4hana.ondemand.com`
+    return assertSafeExternalUrl(constructed, 'subdomain').toString().replace(/\/+$/, '')
   }
-  const constructed = `https://${req.subdomain}-api.s4hana.ondemand.com`
-  return assertSafeExternalUrl(constructed, 'subdomain').toString().replace(/\/+$/, '')
+  if (!req.baseUrl) {
+    throw new Error('baseUrl is required for cloud_private and on_premise deployments')
+  }
+  const trimmed = req.baseUrl.replace(/\/+$/, '')
+  return assertSafeExternalUrl(trimmed, 'baseUrl').toString().replace(/\/+$/, '')
 }
 
 function buildOdataUrl(req: ProxyRequest, pathOverride?: string): string {